Publications

• University of Maryland’s December 2012 report on a concept for an ICT Supply Chain Risk Management Portal: A Proof of Concept for an Enterprise ICT SCRM Assessment Package
  
  This report stems from a NIST grant to develop an Enterprise ICT SCRM Assessment Package as a proof of concept. This Package is delivered through an ICT SCRM Portal, featuring four major functions: an Initiatives Section; a Library Section; a Forum Section; and, an Enterprise Assessment Section composed of:
  
  
  • A Strategic Readiness Tool that profiles an enterprise’s risk management posture and organizational development status;
  
  
  • A NIST Principles/Practices Tool that asks a portfolio of operational questions;
  
  
  • A Cyber Chain Mapping Tool that provides a rapid method to build a working global map of cyber supply chain assets, transactions and vulnerabilities; and,
  
  
  • A Results Area that enables enterprises to view their ICT SCRM baseline status against three benchmarks: a group of peer enterprises; the Community Framework Model; and an ICT SCRM Capability/Maturity Level.


• NIST Interagency Report (NIST IR) 7622, Notional Supply Chain Risk Management Practices for Federal Information Systems. (Oct. 2012) Click here to view NISTIR 7622.
  
  This publication is intended to provide a wide array of practices that, when implemented, will help mitigate supply chain risk. It seeks to equip federal departments and agencies with a notional set of repeatable and commercially reasonable supply chain assurance methods and practices that offer a means to obtain an understanding of, and visibility throughout, the supply chain.
  
  
• University of Maryland’s December 2011 study on ICT supply chain initiative: The ICT SCRM Community Framework Development Project.
  
  This report, which stems from a NIST grant, inventories the proliferating array of existing public and private sector ICT supply chain initiatives across diverse ICT segment and formulates a framework for defining various initiative within a single SCRM architectures. This framework has three tiers: enterprise risk governance, system integration and operations. Within each tier, the report defines a core set of attributes or distinct organizational capabilities to facilitate the identification and assessment of gaps in coverage in the ICT SCRM community.



• University of Maryland’s April 2011 study on ICT SCRM governance strategies and practices: Assessing Supply Chain Capabilities and Perspectives of the IT Vendor Community.
  
  This report stems from a NIST grant to profile the ICT SCRM governance strategies and practices of over 200 key Federal government vendors. The report contains a UMD developed SCRM tool to enable the strategic self-assessment of SCRM practices and highlights the extent and limitations of SCRM interventions at the unit, enterprise and supply chain levels in small, medium and large companies. The report concludes that “The cyber supply chain discipline is currently in an early emerging state characterized by: a deficient evidence-based body of knowledge; a proliferation and fragmentation of industry best practices and standards groups, generally led by only the largest firms; and a profound under-usage of supply chain-wide risk governance mechanisms inside IT vendors” (p.45).